During a recent client meeting, a question surfaced: “Our Microsoft Secure Score Dashboard shows a 73% rating – that’s pretty good, right?”
At first glance, 73% may seem like a strong score. After all, Microsoft Secure Score assesses the technical security configurations within the Microsoft 365 environment, covering areas like identity management, data protection, device management, and application security. The dashboard offers recommendations to improve security settings, helping elevate technical defenses.
While valuable for IT security, this score only represents part of the full security picture. Microsoft Secure Score provides insight into how well users are interacting with the technology, such as whether they use strong passwords, enable multi-factor authentication (MFA), and manage their devices properly. However, it doesn’t account for broader security factors like your organization’s security policies, incident response protocols, or information classification processes. In other words, it’s a technical assessment focused on IT security—not a holistic view of your organization’s security posture.
What Does 73% Really Mean?
When I explained this to the client, they were surprised: “What do you mean?” I used this analogy to clarify:
“Imagine your technical security is at 73%, but the way it’s implemented doesn’t align with how people actually work. This can lead employees to bypass security measures simply to work more efficiently. For example, shadow IT—a practice where employees use unauthorized tools or software—becomes common when the approved tech doesn’t meet their needs. Another example is sending company data to personal devices because it’s easier than accessing corporate systems from home.”
Seeing 73%, you might think, “We’re doing great!” But, in reality, you may be losing control over the secure processing of your information, as employees process it outside of the established secure channels. While your technology may be configured as the dashboard suggests, your organization could be far from secure due to people operating outside your technical measures and formal processes.
Calculating Your ‘Organization Secure Score’
I then asked about the level of security integration within their work processes and employee awareness about secure data handling. The client was unable to answer, leading me to estimate their “Organization Secure Score” as follows:
(People 0% + Process 0% + Technology 73%) ÷ 3 = 24.33%
This rough calculation got the message across. The client realized that achieving true security requires more than just strong technical defenses.
Microsoft Secure Score: Useful, Yet Limited
Microsoft Secure Score is an excellent tool for evaluating technical security configurations within the Microsoft 365 environment. It provides a good overview of security for identities, devices, and applications, and includes recommendations for strengthening these areas. It even highlights how users engage with technology, tracking practices like MFA use and device management.
Yet, the dashboard is mainly focused on technical IT security. It only indirectly touches on the broader security position of your organization and offers little insight into wider aspects like security policies, process integration, or user behavior beyond IT. To achieve a holistic security approach—one that is both technically and operationally robust—you need to look beyond the technical dashboard and consider frameworks like ISO 27001 or NIST, which cover governance, impact analysis, risk management, and compliance. It’s essential to tailor these frameworks to fit your organization, avoiding impractical measures that could hinder operations.
The Complete Picture
A 73% Microsoft Secure Score shows how well your technology is set up, including how users handle security elements like password policies and MFA. However, it doesn’t reveal the state of broader processes like incident response or information classification.
- People: While the dashboard shows how users engage with technology, it doesn’t offer a complete view of their security training and awareness outside of the technical sphere.
- Processes: The dashboard monitors technical processes like patch management but lacks depth in organizational processes such as information governance and risk assessment, which are critical to a comprehensive security framework.
Conclusion: Technology is Only Part of the Puzzle
A 73% rating on your Microsoft Secure Score Dashboard may seem reassuring, but it only tells part of the story—the technical side. To gain a true “Organization Secure Score,” you need to include people and processes. Without this complete picture, you remain exposed to significant risks.